To get insights into both Azure and AWS on a single dashboard, Azure Sentinel can be integrated with the AWS CloudTrail service. This solution is viable in a multi-cloud scenario where the client wants to keep their existing SIEM tool, which is Azure Sentinel.
With the data received by Azure Sentinel, one can quickly build relevant use cases to monitor the wealth of data provided by CloudTrail, allowing AWS users to benefit from a powerful cloud-based SIEM product without a significant redesign of their AWS logging infrastructure.
What is Azure Sentinel?
Microsoft Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
What is AWS CloudTrail?
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
AWS CloudTrail Documentation
Most organizations are adopting a multi-cloud approach. Managing security and auditing across all of those cloud environments is a challenging task for administrators and security engineers. Azure Sentinel can be used as a single pane of glass for security analytics and detection across them, and it supports numerous data connectors that we can leverage.
Connect your AWS CloudTrail with Azure Sentinel
Before we start, the following prerequisites are needed:
How does it work?
The first step is to create a Log Analytics workspace in the Azure portal.
The second is to create a role in IAM within the AWS account.
The third is to add the ID of Azure Sentinel to that role.
Make sure Require External ID is selected and then enter the External ID (the Workspace ID), which can be found on the AWS connector page in the Azure Sentinel portal.
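As an added example (not part of the original post), the trust policy that the second and third steps produce, built in Python together with an audit check that the External ID condition is actually present. The trusted account ID and the Workspace ID are placeholders to be read off the AWS connector page.

```python
import json

# Constructed placeholders (assumption): both values are shown on the AWS connector
# page in the Azure Sentinel portal; substitute the real ones before use.
SENTINEL_AWS_ACCOUNT_ID = "<MICROSOFT_SENTINEL_AWS_ACCOUNT_ID>"
WORKSPACE_ID = "<LOG_ANALYTICS_WORKSPACE_ID>"  # used as the External ID

def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy for the cross-account IAM role that Sentinel assumes.
    The sts:ExternalId condition is what 'Require External ID' adds in the IAM
    console; without it, any tenant proxied via the trusted account could assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def external_id_enforced(policy: dict, expected_external_id: str) -> bool:
    """Audit check: True only if the policy grants sts:AssumeRole at least once
    and every such grant is conditioned on exactly the expected External ID."""
    grants = 0
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        grants += 1
        ids = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if isinstance(ids, str):
            ids = [ids]
        if ids != [expected_external_id]:
            return False
    return grants > 0

def trust_policy_json(trusted_account_id: str, external_id: str) -> str:
    """Serialised policy for `aws iam create-role --assume-role-policy-document`."""
    return json.dumps(build_trust_policy(trusted_account_id, external_id), indent=2)

if __name__ == "__main__":
    print(trust_policy_json(SENTINEL_AWS_ACCOUNT_ID, WORKSPACE_ID))
```

The printed JSON can be saved and passed to `aws iam create-role --assume-role-policy-document file://trust.json`; running `external_id_enforced` over an existing role's trust policy verifies that the External ID condition was not dropped later.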